The Top Five Worst DNS Security Incidents

Preserving Internet security is often an iterative process, with defenders aware that they must be responsive as well as proactive in order to stay one step ahead of would-be attackers. Software developers must respond to vulnerabilities discovered in their code, anti-virus service providers must respond to new variants of malware, and enterprises must repair the holes in their networks when they are found; Promptly.

The good guys are not always triumphant, the bad guys not omnipotent; but for every successful attack there are many lessons to be learned. This is especially true for some of the Internet's most significant and damaging security incidents. Here, I will outline five of the most notable attacks in the last 10 years of the Internet's domain name system, along with the valuable lessons that can be taken away from them.

5. A security firm put out of business by DDoS

Any attack can be said to be the most important attack in the world, if you're the victim. And for the small anti-spam company Blue Security, that statement was truer than for most. The Israeli-American start-up was hit by a distributed denial of service attack on its DNS services in early May 2006, and it went out of business less than two weeks later.

Blue Security offered a controversial anti-spam service, designed to force spammers to remove its customers from their databases through sheer volume of complaints. Instead, some high-profile spammers fought back, orchestrating a large DDoS attack against Blue Security's DNS infrastructure. The company responded by updating its DNS records to direct visitors to its corporate blog, which was hosted by Six Apart. This redirection effectively reflected the attack at Six Apart's popular blogging services, rendering ten million blogs unusable for several hours.

Two weeks later, Blue Security announced it would cease operations as an anti-spam company. The spammers had won, and the company had learned that allowing DNS to remain a network bottleneck is a risk that could have tragic consequences for both a company and its partners.

4. Attackers hijack ICANN's domain names

On June 26, 2008, Web surfers visiting icann.com were greeted with a message from a hacker gang calling itself NetDevilz. These kinds of Web page defacement attacks are sadly quite common, but this incident was especially notable because it targeted DNS and because ICANN , the Internet Corporation for Assigned Names and Numbers, is the organization charged with the technical coordination of the security and stability of the DNS.

The attack was found to have used social engineering to persuade ICANN's domain name registrar to change the name servers for icann.com, and several related domains, to point to a server the attackers controlled. The changes were noticed and rolled back within 20 minutes, but the erroneous information had already propagated throughout the DNS and continued to send visitors to the defaced page for up to 48 hours after the initial attack.

This incident, among others, prompted ICANN’s Security and Stability Advisory Committee (SSAC) to create a set of best practices that registrars should implement in order to keep their customers' domain names secure. (SAC040: http://www.icann.org/en/committees/security/sac040.pdf) The recommendations suggest that registrars managing high-value domain portfolios provide stronger password management systems, multi-factor authentication, more granular access controls and back-channel notifications when important changes are made, among other measures. (Note: I was one of the authors of SAC040).

3. Conficker demands a global response

Conficker was a worm that emerged in November 2008 which targeted vulnerable Windows devices and quickly became some of the most damaging malware of all time. Later versions of Conficker randomly generated a list of tens of thousands of domain names over 100 generic and country code top-level domains in an attempt to massively distribute its command and control centers and simultaneously replicate itself.

Conficker was only finally mitigated after a coordinated effort by dozens of organizations including Microsoft, ICANN, law enforcement, and the affected domain name registries (including my employer, Afilias) and registrars. By cutting off the worm's C&C centers, this ad hoc effort was able to reduce the risk posed by the rapidly growing Conficker botnet. The lesson to be learned here is that the Internet is a cooperative environment, and that sometimes the best way to address a serious threat is through collaboration.

2. DDoS attacks shake the DNS foundations

There have been two major reported DDoS attacks on the master servers of the DNS addressing system (the DNS root servers) over the last decade. The first attack lasted for just over an hour on October 21, 2002 and reached a total attack volume of 900 Mbps. While the root server operators were even then no strangers to malicious activity, the attack was unusual in both its scale and in that it targeted all 13 of the DNS root servers simultaneously, impairing performance at nine.

While end users remained largely unaffected by the incident, it was a wake-up call to the DNS industry. Efforts began immediately to add redundancy to the root system by broadly mirroring servers using IP Anycast. This technology allows the same logical DNS server to be present in dozens of physical locations simultaneously. The 13 roots quickly became, in effect, hundreds.

Almost as if to prove the effectiveness of Anycast, a second major coordinated attack on the DNS, took place sporadically over several days in February 2007 and was over twice as large as the 2002 event. It only succeeded in noticeably degrading performance at two of the 13 roots – the two that had not implemented Anycast. The lesson is clear – using Anycast to mitigate risk can help organizations minimize the effects of DDoS activity. For organizations where deploying Anycast is a burden, choosing a Managed DNS service provides the same advantages at a great value.

1. “The Kaminsky Bug” puts the whole Internet at risk

Often regarded as possibly the greatest security threat the Internet has ever faced, the so-called “Kaminsky Bug” emerged in July 2008, creating great unease and even greater hype. Researcher Dan Kaminsky discovered that it was easy to exploit a weakness in the DNS and built the software to do it. This weakness would enable malicious hackers to transparently imitate any Web page or e-mail account by poisoning the DNS information cached by Internet service providers.

It was only after the secret, concerted effort of security experts, DNS software developers, ISPs and Kaminsky himself that the risk from this bug was substantially mitigated before it could be broadly exploited. But it was not eliminated entirely. Today, DNSSEC, the new standard security extensions for the DNS protocol, offers the best way of preventing the kind of cache poisoning attack that Kaminsky's findings would have enabled.

In much the same way as the root server operators and others reacted to the increased risk of DDoS attack by implementing IP Anycast technology, today it is incumbent on those who value the security of their DNS to start to develop plans to deploy DNSSEC.

Edmund Burke once said, “Those who don’t know history are destined to repeat it.” Take the lessons learned from these important DNS security

Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN’s Board of Directors and has helped direct and write numerous policies effecting domain name registration and DNS security.